Ideas

Idea: core, root file with version number ONLY for 3rd-party installers

I am proposing a core, root level file with the current version of WordPress listed in it that could be updated by any in-WP upgrade AND by any 3rd-party installer/upgrader. This would not be what WordPress reads to list the version AND would have NO other function, so would be no security risk.

Per Midphase and other companies, third-party installers like Fantastico cannot determine the version of WordPress installed if you upgrade FROM WordPress rather than their application -- in their process, they update (for example) a fantversion.php file (I am told this is how all 3rd-party installers do it).

This results in the scenario of a control panel saying you have an older version (whichever they last recorded) and that you need to upgrade even if you have the latest version.

Perhaps... but hosts that use something like Fantastico say that it cannot "know" when you've updated your WordPress application via the WordPress app itself (in the admin's auto-upgrade or otherwise)

I've personally seen this 4 or 5 times since that ability was added to WordPress. Now normally, I'd go into a cpanel and use the Fantastico app itself to upgrade, but with the great new (and fairly reliable) function of doing this in the admin, why bother with Fantastico (or whatever installer your host uses)?

All of them write their own file to keep track of the version of WordPress THEY install (e.g. fantversion.php). They don't monitor YOUR WordPress application to determine if you need to upgrade... they simply look at their file and, if they are now offering a later version, tell you that you need to upgrade... even if you don't!

Of course, you can manually modify THEIR file. Add another task to your list for every upgrade. I'd RATHER not. If a file IN the core of WP behaved like fantversion.php, I believe these companies would take advantage of that and read it.

It seems a logical companion to the internal auto upgrade functions, and by making it external to the admin and a core-level file that only does this one thing, it shouldn't be exploitable.

You could write a plugin that scrapes the version and updates the fantversion.php file, but this is a flaw in the 3rd party, NOT in WP. Also, you hit the slippery slope with this. How many 3rd party installers should WP support?

Perhaps... but hosts that use something like Fantastico say that it cannot "know" when you've updated your WordPress application via the WordPress app itself (in the admin's auto-upgrade or otherwise)

They should be able to detect that pretty easily: compare the version in wp-includes/version.php (or get_option('version')) to the version they have in their own file; if they don't match, then the installation has been updated or modified.

That's a pretty simple thing to do. If your host can't manage a simple comparison check, I'd not trust them to install any application for me, let alone run upgrade routines.
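
The comparison described in the last reply, sketched as an added example (not code from this thread, from WordPress, or from any installer). It reads `$wp_version` from wp-includes/version.php as plain text rather than executing the PHP. The function names are hypothetical, and the installer's recorded version is passed in as a string because the thread does not show the format of fantversion.php.

```python
import re
from pathlib import Path

# Matches the assignment in wp-includes/version.php, e.g.  $wp_version = '3.0.1';
WP_VERSION_RE = re.compile(
    r"""^\s*\$wp_version\s*=\s*(['"])([0-9A-Za-z.\-]+)\1\s*;""", re.M)

def read_core_version(wp_root):
    """Return the version string from wp-includes/version.php, or None.

    The file is parsed as text and never executed, so a modified
    version.php cannot run code inside the installer's own process."""
    path = Path(wp_root) / "wp-includes" / "version.php"
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None
    m = WP_VERSION_RE.search(text)
    return m.group(2) if m else None

def version_key(v):
    """'2.9.2' -> (2, 9, 2); a suffix such as '-RC1' is ignored for ordering."""
    nums = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(p) for p in nums.group(0).split(".")) if nums else ()

def check_install(wp_root, recorded):
    """Compare the installer's recorded version with what is on disk."""
    actual = read_core_version(wp_root)
    if actual is None:
        return ("unknown", None)          # file missing or unparseable
    if version_key(actual) == version_key(recorded):
        return ("in-sync", actual)
    if version_key(actual) > version_key(recorded):
        return ("updated-outside-installer", actual)
    return ("older-than-recorded", actual)

def build_sample(root, version):
    """Constructed sample tree (not a real install) so the example runs offline."""
    inc = Path(root) / "wp-includes"
    inc.mkdir(parents=True, exist_ok=True)
    (inc / "version.php").write_text(
        "<?php\n/**\n * The WordPress version string\n */\n"
        "$wp_version = '%s';\n" % version)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        build_sample(d, "3.0.1")          # constructed sample version
        print(check_install(d, "2.9.2"))  # installer's stale record
```

A result of "updated-outside-installer" is the case this thread is about: the control panel should refresh its own record instead of prompting for an upgrade.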